July 22, 2010

ROSS PHILO
EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER

DEBORAH J. JUDY
DIRECTOR, INFORMATION TECHNOLOGY OPERATIONS

CHARLES L. MCGANN, JR.
MANAGER, CORPORATE INFORMATION SECURITY

SUBJECT: Audit Report – UNIX Operating System Master Controls
         (Report Number IS-AR-10-010)

This report presents the results of our audit of UNIX® operating system master controls (Project Number 10RG005IT000). We conducted this audit in support of the Postal Service's regulatory requirement to comply with section 404, Management's Assessment of Internal Control, of the Sarbanes-Oxley Act of 2002 (SOX). Our objective was to determine whether the Postal Service's UNIX operating system environment, hosting applications supporting the financial statements, complies with Information Technology (IT) SOX master controls.1 This audit addresses operational risk. See Appendix A for additional details about this audit.

In December 2006, Congress passed the Postal Accountability and Enhancement Act (the Postal Act), which included significant changes to the way the Postal Service does business. The Postal Act requires the Postal Service to comply with SOX beginning with the fiscal year (FY) 2010 annual report.

Conclusion

The UNIX operating system environment, hosting applications supporting the financial statements, generally complies with IT SOX master controls. See Appendix C for a summary of compliance with the      UNIX master controls that we tested.
Specifically, we tested      UNIX servers and      UNIX workstations and noted the following:

•   All      servers complied with the administrative password management, segregation of duties, and password encryption master controls.
•   One server did not comply with
•   Two servers did not comply with                                        .
•   Three servers did not comply with
•   Six servers did not comply with                                        .
•   One workstation did not comply with

1 Controls designed to mitigate the risk associated with the infrastructure that supports SOX in-scope applications.

UNIX Operating System Master Controls                                                   IS-AR-10-010

While there was general compliance with the SOX master controls, management can improve preventive and detective security controls and preserve the Postal Service brand by:

•   Limiting developer permissions within the production environment.
•   Establishing approved baseline security configuration standards.
•   Properly configuring account and password settings.
•   Adhering to patch management procedures.
•   Monitoring modifications to log configuration files and key security events.

Based on our audit results, management began remediating configuration-related vulnerabilities during the audit.

Developer Access to Production Environment

We identified      developers with privileged access to files across      production servers2 supporting the                              . File permissions3 provided the developers with the capability to modify or delete      files on      servers.
IT SOX controls4 require developers' access to the production environment to be limited to read-only.5

According to management, these servers function to stage data for transfer to the application, and developers require access to the servers to review log files when failures occur in the file transfer process. Management submitted a risk mitigation plan6 (RMP) on October 1, 2009, proposing compensating controls to mitigate the risk of unauthorized deletion of or modification to files by developers.

The SOX and Process Improvement office, the SOX Program Management Office, and the chief information officer are currently reviewing the plan. If they approve the plan, the OIG must assess the compensating controls to determine whether they appropriately mitigate the risk.

2 These servers were not included in our sample. However, because we identified this issue during our fieldwork, we are including the issue in this report.
3 Permissions in the UNIX environment determine whether a user can read from, write to, or execute a file.
4 Master Control 07.UNIX.SOD, version 7, dated December 23, 2009.
5 The read-only permission allows a user to read a file but restricts the user from modifying or deleting it.
6 A risk mitigation plan identifies mitigating controls that may act as a substitute for a standard IT master control and includes any residual risk.

We recommend the director, Information Technology Operations, direct the manager, Information Technology Computing Services, to:

1. Review and update system permissions to ensure developers possess read-only privileges to files in the production environment.

Configuration Baseline

Management has not formally approved UNIX security configuration standards.
This is because Information Security Services recently created the International Business Machines Advanced Interactive eXecutive (IBM® AIX®) standards. Information Systems Security is currently working with management to revise and gain approval of the draft AIX standards and the existing UNIX standards. Postal Service policy7 requires management to implement hardening standards specific to each platform. As a result, we could not assess the UNIX environment against the configuration baseline control, because UNIX baseline security configuration standards have not been fully established and approved.8 The OIG will test this control once management approves all UNIX security configuration standards.

We recommend the manager, Corporate Information Security, coordinate with the director, Information Technology Operations, to:

2. Establish and approve baseline security configuration standards for all UNIX operating system types.

Account and Password Management

Account and password settings were not consistent with IT master control requirements



         administrators did not always review and update account and password configurations. Improper management of accounts and passwords increases the risk of unauthorized users gaining access to these systems.
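The thresholds behind this finding are the ones Appendix B quotes from the master controls: lockout after six unsuccessful log-on attempts, default passwords changed, a password-protected screensaver after at most 30 minutes, and passwords aged at most 45 days for the administrative (root) account and 90 days for all others. The script below is an added example of checking a host against those thresholds; it is not part of this report or of any Postal Service tool. It reads Linux-style /etc/passwd and /etc/shadow contents, a PAM line, and an xscreensaver configuration, all of which are constructed sample input here. The pam_faillock/pam_tally2 `deny=` syntax and the xscreensaver `timeout:`/`lock:` keys are assumptions about the platform, since the report does not say which lockout or screensaver mechanism the audited AIX, Solaris and Linux hosts use; on AIX the equivalent values live in /etc/security/user and would need a different parser.

```python
"""Added example: audit Linux-style account and password settings against the
IT SOX thresholds quoted in Appendix B. Not part of the OIG report; the PAM
and xscreensaver formats are assumptions about the platform."""
import re
from dataclasses import dataclass

# Thresholds from the master controls summarized in Appendix B.
MAX_FAILED_LOGONS = 6           # 07.UNIX.Account_Suspend
MAX_INACTIVITY_MINUTES = 30     # 07.UNIX.Inactivity_Timeout
MAX_AGE_ADMIN_DAYS = 45         # 07.UNIX.PW_Parm_Config, UID 0 accounts
MAX_AGE_USER_DAYS = 90          # 07.UNIX.PW_Parm_Config, all other accounts


@dataclass(frozen=True)
class Finding:
    control: str   # short name of the master control that is not met
    subject: str   # account, file or component the finding applies to
    detail: str


def parse_passwd(passwd_text):
    """Map user name -> UID from /etc/passwd lines (comments and blanks skipped)."""
    uids = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and not line.startswith("#"):
            uids[fields[0]] = int(fields[2])
    return uids


def audit_shadow(shadow_text, uids):
    """Check the maximum password age (field 5 of /etc/shadow) per account and
    flag accounts whose password field is empty (no password at all)."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:
            continue
        name, pw_hash, max_days = fields[0], fields[1], fields[4]
        if pw_hash.startswith(("!", "*")):
            continue  # locked or no-login account: password aging does not apply
        if pw_hash == "":
            findings.append(Finding("Default_Acct_PW_Chg", name, "empty password field"))
        limit = MAX_AGE_ADMIN_DAYS if uids.get(name) == 0 else MAX_AGE_USER_DAYS
        if max_days == "" or int(max_days) > limit:
            findings.append(Finding("PW_Parm_Config", name,
                                    f"max password age {max_days or 'unset'} exceeds {limit} days"))
    return findings


def audit_lockout(pam_text):
    """pam_faillock or pam_tally2 must be present with deny=N, N <= 6 (assumed format)."""
    m = re.search(r"pam_(?:faillock|tally2)\.so[^\n]*\bdeny=(\d+)", pam_text)
    if m is None:
        return [Finding("Account_Suspend", "pam", "no lockout module with deny= configured")]
    if int(m.group(1)) > MAX_FAILED_LOGONS:
        return [Finding("Account_Suspend", "pam",
                        f"deny={m.group(1)} exceeds {MAX_FAILED_LOGONS} attempts")]
    return []


def audit_screensaver(xss_text):
    """xscreensaver 'timeout:' is h:mm:ss; 'lock: True' makes it password-protected (assumed format)."""
    findings = []
    t = re.search(r"^timeout:\s*(\d+):(\d\d):(\d\d)", xss_text, re.M)
    if t is None:
        findings.append(Finding("Inactivity_Timeout", "workstation", "no screensaver timeout"))
    else:
        minutes = int(t.group(1)) * 60 + int(t.group(2)) + int(t.group(3)) / 60
        if minutes > MAX_INACTIVITY_MINUTES:
            findings.append(Finding("Inactivity_Timeout", "workstation",
                                    f"timeout {minutes:g} min exceeds {MAX_INACTIVITY_MINUTES}"))
    if re.search(r"^lock:\s*True", xss_text, re.M) is None:
        findings.append(Finding("Inactivity_Timeout", "workstation", "screensaver does not lock"))
    return findings


def run_audit(passwd_text, shadow_text, pam_text, xss_text):
    """Run every check and return the combined list of findings."""
    uids = parse_passwd(passwd_text)
    return (audit_shadow(shadow_text, uids) + audit_lockout(pam_text)
            + audit_screensaver(xss_text))


# Constructed sample input (hashes are placeholders, not real password hashes).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
appsvc:x:1001:1001::/home/appsvc:/bin/sh
oracle:x:1002:1002::/home/oracle:/bin/sh
backup:x:1003:1003::/home/backup:/bin/sh
"""
SAMPLE_SHADOW = """root:$6$salt$hash:18000:1:60:7:::
appsvc:$6$salt$hash:18000:0:99999:7:::
oracle:$6$salt$hash:18000:0:90:7:::
backup::18000:0:90:7:::
nobody:*:18000:0:99999:7:::
"""
SAMPLE_PAM = "auth required pam_faillock.so preauth silent deny=10 unlock_time=900\n"
SAMPLE_XSCREENSAVER = "timeout: 0:45:00\nlock: True\n"

if __name__ == "__main__":
    for f in run_audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_PAM, SAMPLE_XSCREENSAVER):
        print(f"{f.control:<20} {f.subject:<12} {f.detail}")
```

On the sample input the script reports root (60-day maximum age against a 45-day limit), appsvc (99999 days), backup (empty password field), the PAM line (deny=10) and the workstation (45-minute timeout); oracle and the locked nobody account pass. Each finding names the master control it maps to, which is the form in which a semiannual baseline review would want to record it.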
See Appendix B for our detailed analysis of this topic.

7 Handbook AS-805, Information Security, dated November 2009, Section 10-2.3.1, Hardening Servers.
8 IT Master Control 07.UNIX.Config_Baseline, version 5, dated February 5, 2010, requires management to establish standard operating system security configurations and confirm, semiannually, that production configurations remain consistent with approved standards.

We recommend the director, Information Technology Operations, direct the manager, Information Technology Computing Services, to:

3. Review and update UNIX operating system user account and password settings to comply with IT SOX requirements.

Patch Management

Administrators did not consistently adhere to patch management procedures.



                      IT SOX controls require administrators to apply recommended patches to production servers. In addition, administrators should document and obtain approval of all patch testing.11 Missing patches could allow a person or malware12 to read, change, or delete files accidentally or maliciously. In addition, undocumented testing could introduce patches into the environment that may cause system resources to become unavailable to users.

We recommend the director, Information Technology Operations, direct the manager, Information Technology Computing Services, to:

4. Install approved patches and document patch testing.

Log Management

Administrators did not configure the Server Automation Software13 management utility to monitor modifications to log configuration files



                                                                    administrators could not consistently review key security events, including log-on failures, elevation of privileges by unapproved personnel, modification of logging settings, or the modification of log ownership and permissions on these servers, as required by IT SOX controls and Postal Service policy.15

9
10 IT Master Control 07.UNIX.Patch_Mgmt, version 6, dated January 15, 2010.
11 IT Master Control 07.UNIX.Testing_Doc, version 5, dated January 8, 2010.
12 Software programs designed to damage or perform unwanted actions on a computer system.
13 A server management utility that automates operating system provisioning and patch management.
14 A log management utility that enables organizations to collect, store, and analyze log data.

We recommend the director, Information Technology Operations, direct the manager, Information Technology Computing Services, to:

5. Configure the log management utility to monitor modifications to log configuration files.

6. Configure servers to send log events to a centralized log repository.

Mainframe Servers

Administrators did not correctly configure              Specifically,                                                        In addition, they did not consistently comply with the patch management process or follow log management procedures, including monitoring of key security events.

                                  Administrators should properly configure and monitor servers to mitigate the risk of unauthorized access or undetected malicious activity occurring on the system. See Appendix B for our detailed analysis of this topic.

We recommend the director, Information Technology Operations, direct the manager, Information Technology Computing Services, to:

7. Review and update Linux operating system account and password settings to comply with IT SOX requirements.

8. Provide administrators with training addressing configuration, patch, and log management procedures supporting IT SOX requirements.

Other Matters – Shared User Account

We identified an undocumented, shared local user account on each              we reviewed. Administrators use the account to access the operating systems when directory services17 are unavailable. They track use of this account with the              application. However, management did not obtain formal approval for this account as required by policy.18 When notified, management took corrective action to register the account in eAccess.
As a result, we are not making a recommendation to address this issue.

15 IT Master Control 07.UNIX.Sec_Log_Mntr_Config, version 4, dated March 16, 2010, and Handbook AS-805, Section 9-11.5, Audit Log Reviews.
16 IT Master Controls 07.UNIX.Sec_Log_Mntr_Config; 07.UNIX.Revew_Sec_Logs, version 7, dated May 3, 2010; 07.UNIX.Patch_Mgmt; and 07.UNIX.Testing_Doc.
17 Directory Services provides for central authentication and authorization.
18 Handbook AS-805, Section 9-4.2.4, Shared Accounts.

Management's Comments

Management agreed with our recommendations. In response to recommendation 1, management completed action on May 30, 2010, for all systems not included in the RMP. Additional UNIX controls were documented in the RMP on May 30, 2010. The appropriate sponsors will pursue approval of the RMP, and management will revoke developer access if the plan does not receive approval. The target completion date is September 30, 2010.

In response to recommendation 2, management has approved the IBM AIX security configuration standards and is seeking final approval of the Solaris and Linux standards. The target completion date is July 31, 2010.

To address recommendation 3, management will review and update configuration settings during their semiannual configuration baseline review. In response to recommendation 4, management completed and documented their patch testing and will install approved patches during their current patch cycle. The target completion date for recommendations 3 and 4 is August 31, 2010.

Management addressed recommendation 5 by converting to Critical System Protection19 monitoring as of June 25, 2010.
Management requested closure of this recommendation upon issuance of the final report.

Management will address recommendations 6, 7, and 8 by configuring servers to send log events to a centralized server, updating Linux operating system account and password settings, and providing administrators with appropriate training. The target completion dates are July 31, 2010, for recommendation 6; August 31, 2010, for recommendation 7; and September 30, 2010, for recommendation 8. See Appendix D for management's comments in their entirety.

Evaluation of Management's Comments

The OIG considers management's comments responsive to the recommendations, and management's corrective actions should resolve the issues identified in the report.

The OIG considers recommendations 1 and 2 significant and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective actions are completed. These recommendations should not be closed in the Postal Service's follow-up tracking system until the OIG provides written confirmation that the recommendations can be closed.

19 Management refers to Critical Site Protector, but the product name is actually Critical System Protection.

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Frances E. Cain, director, Information Technology, or me at 703-248-2100.

Darrell E. Benjamin, Jr.
Deputy Assistant Inspector General
 for Revenue and Systems

cc: Harold E. Stark
    Susan M. LaChance
    Joseph J. Gabris
    Corporate Audit Response Management

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

The UNIX server environment includes the



                                   and the IT Corporate Help Desk Organization sections of the Information Technology Computing Services group manage these servers.

The Postal Service SOX and Process Improvement office established the IT SOX Compliance Management Office (CMO) to manage the annual documentation, testing, remediation, reporting, and certification requirements to meet and maintain IT SOX compliance. The IT SOX CMO is responsible for the development and implementation of internal IT SOX master controls, both general computer and application-specific controls. The IT SOX CMO identified      master controls applicable to the UNIX operating system environment.

OBJECTIVE, SCOPE, AND METHODOLOGY

Our objective was to determine whether the Postal Service UNIX operating system environment, hosting applications supporting the financial statements, complies with IT SOX master controls. We limited our scope to controls applicable to the UNIX operating system environment.

As of March 2010, there were      UNIX servers in the production environment,      of which support      SOX in-scope applications.20 To achieve our objective, we judgmentally selected a sample of      servers supporting      SOX in-scope applications and reviewed their configuration files. We also judgmentally sampled      applicable UNIX workstations and reviewed their screensaver inactivity timeout settings.
In addition, we interviewed administrators, observed key processes and procedures, and reviewed applicable Postal Service policies.

20 SOX in-scope applications include financial applications supporting in-scope business processes and IT applications that have a pervasive impact on the IT control environment.

We conducted this performance audit from November 2009 through July 2010 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We discussed our observations and conclusions with management on June 21, 2010, and included their comments where appropriate. We used manual and automated techniques to analyze the configuration data.
Based on the results of these tests and assessments, we concluded the data were sufficient and reliable to use in meeting the objective.

PRIOR AUDIT COVERAGE

Report Title: UNIX Access Controls at
Report Number:
Final Report Date: 8/10/2009
Report Results:

Report Title: Access Controls at the              Centers for Fiscal Year 2008
Report Number: I
Final Report Date: 8/15/2008
Report Results: We recommended management develop an automated procedure to identify and remove from                              . Management agreed with the finding and recommendation and took action to address the issue in May 2010.

Report Title:
Report Number:
Final Report Date: 6/3/2008
Report Results:

APPENDIX B: DETAILED ANALYSIS

Account and Password Management

Administrators did not properly configure account and password settings

•
•
•

                                              did not configure their workstation to lock after 30 minutes of inactivity.

The IT SOX controls21 require:
•   Accounts to lock after six unsuccessful log-on attempts.
•   Operating system account passwords to change from their default value.
•   UNIX workstations to display a password-protected screensaver after a maximum of 30 minutes of inactivity.
•   Passwords changed at least every 45 days for administrative accounts22 or at least every 90 days for non-administrative accounts.

Management took corrective actions when we brought these issues to their attention.

Mainframe Servers

•
•
                                                                                           .
•
•
                               .
•

21 Master Controls 07.UNIX.Account_Suspend, version 11, dated December 23, 2009; 07.UNIX.Default_Acct_PW_Chg, version 8, dated February 22, 2010; 07.UNIX.Inactivity_Timeout, version 9, dated December 23, 2009; and 07.UNIX.PW_Parm_Config, version 4, dated December 23, 2009.
22 Root is the administrative account on UNIX, Linux, and AIX operating systems.
23 Master Controls 07.UNIX.Account_Suspend and 07.UNIX.PW_Parm_Config.

The administrator took action to correct the              when we brought these issues to the administrator's attention.

APPENDIX C: MASTER CONTROL COMPLIANCE

The table below shows the level of compliance with the 12 UNIX master controls that were tested.

UNIX Master Controls Compliance

UNIX Master Control                     Sample Size   Number Tested   Number Passed   Percent In Compliance
Configuration Baseline24
Administrative Password Management
Segregation of Duties
Password Encryption
Default Account Password Change
Inactivity Timeout25
Patch Management
Testing Documentation
Account Suspension
Password Parameter Configuration
Review Security Log
Security Log Monitor Configuration

24 We did not test the configuration baseline master control because management had not approved configuration baseline standards for all UNIX operating systems.
25 We sampled UNIX workstations to test this master control.

APPENDIX D: MANAGEMENT'S COMMENTS